This application makes use of the following acronyms generally known to those skilled in the art:
HyperText Transfer Protocol (HTTP)
Internet Engineering Task Force (IETF)
Point-to-Point Protocol (PPP)
Public Land Mobile Network (PLMN)
Secure Sockets Layer (SSL)
Transmission Control Protocol/Internet Protocol (TCP/IP)
Transport Layer Security (TLS)
WAP Datagram Protocol (WDP)
Wireless Application Protocol (WAP)
Wireless Application Environment (WAE)
Wireless Markup Language (WML)
Wireless Session Protocol (WSP)
Wireless Transaction Protocol (WTP)
Wireless Transport Layer Security (WTLS)
World Wide Web Consortium (W3C)
1. Technical Field of the Invention
The present invention relates to WAP sessions between a mobile terminal and a WAP gateway, and more particularly, to the organization of protocol layers in a WAP gateway.
2. Description of Related Art
When building a virtual private network for corporate users that is accessible by mobile terminals, such as laptop computers, mobile telephones and the like, there exists no standardized manner for building a so-called "demilitarized zone" that enables the authentication of users of mobile terminals accessing the network via a wireless application protocol (WAP) prior to actually giving a user access to the corporate network. On the internet, a request/response or challenge mechanism may be used where typically the point-to-point protocol (PPP) or remote access server queries an accessing user for his user name, prompts the user with a challenge, and reads any password provided by the user in response to the challenge. This occurs prior to actually providing access to the user. Existing mechanisms for authorizing access of a WAP terminal to a network are inconvenient and have a number of security concerns.
Authentication can be done using a mechanism known as HTTP Basic Authentication, where the originating server (e.g., an internet server) first must receive a request from the terminal device in order to respond with an authentication request to the terminal. This, of course, requires the terminal to already be connected to the network, and even to the private network. Authentication can also be done in the gateway, e.g., by allowing users of mobile terminal devices to configure a gateway password and user ID. Alternatively, this is done in the access server. These methods are very inflexible, and if a more secure method, such as using one-time passwords, secure cards, etc., is used for entering the corporate network, an excessive amount of work for the user is required. Current terminals do not allow users to get a "terminal window" similar to the one available in, for example, Windows 98, where dynamic passwords can be entered. Thus, some manner for providing an improved authorization process for mobile terminals accessing virtual private networks is desired.
The present invention overcomes the foregoing and other problems with a WAP gateway interconnecting a PLMN network and a second private data network. The WAP gateway includes a first stage proxy and a second stage proxy. The first stage proxy is located on a first side of a firewall of the second network and includes the WDP layer of the WAP protocol stack. The remaining layers of the WAP protocol stack are located within a second stage proxy located on the other side of the firewall of the second network. Responsive to requests provided from a mobile terminal, the WDP layer of the first stage proxy may communicate with protocol layers within the second stage proxy using SSL/TLS tunneling. As a result, authentication is needed only once, at the first request to access the private data network, and all subsequent requests within the session are tunneled directly through the firewall.
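The two-stage arrangement described above, as an added illustration that is not part of the patent: a Python model of the first-stage (WDP-layer) proxy that authenticates an endpoint once, on its first datagram, and then passes that endpoint's later datagrams straight into the tunnel toward the second-stage proxy. The datagram representation, the `AUTH ` credential prefix, the one-time-password table and the list standing in for the SSL/TLS tunnel are all assumptions made for the example.

```python
# Constructed model of the first-stage proxy outside the firewall (not the
# patent's code). A datagram is modelled as (source address, source port,
# payload); the SSL/TLS tunnel to the second-stage proxy is stood in for by a
# list of forwarded records.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SessionKey = Tuple[str, int]  # (source address, source WDP port)


@dataclass
class FirstStageProxy:
    # One-time passwords still valid for a first request (constructed table).
    # Each entry is consumed on use, so a replayed AUTH datagram is rejected.
    valid_otps: Set[bytes]
    tunnel: List[Tuple[SessionKey, bytes]] = field(default_factory=list)
    sessions: Dict[SessionKey, bool] = field(default_factory=dict)
    rejected: int = 0

    def receive(self, src_addr: str, src_port: int, payload: bytes) -> str:
        key = (src_addr, src_port)
        if key in self.sessions:
            # Endpoint already authenticated: tunnel the datagram through the
            # firewall without repeating the authentication exchange.
            self.tunnel.append((key, payload))
            return "tunneled"
        # First datagram of a session must carry a credential; nothing else
        # from an unauthenticated endpoint crosses toward the private network.
        if payload.startswith(b"AUTH ") and payload[5:] in self.valid_otps:
            self.valid_otps.discard(payload[5:])  # one-time: consume it
            self.sessions[key] = True
            return "authenticated"
        self.rejected += 1
        return "rejected"


def demo() -> Tuple[List[str], int, int]:
    """Run a constructed sequence and return (outcomes, tunneled, rejected)."""
    proxy = FirstStageProxy(valid_otps={b"alice:otp-1234"})
    outcomes = [
        proxy.receive("10.0.0.5", 2048, b"GET /intranet"),          # no session
        proxy.receive("10.0.0.5", 2048, b"AUTH alice:otp-1234"),    # first request
        proxy.receive("10.0.0.5", 2048, b"GET /intranet"),          # tunneled
        proxy.receive("10.0.0.5", 2048, b"GET /mail"),              # tunneled
        proxy.receive("10.0.0.9", 2048, b"AUTH alice:otp-1234"),    # replayed OTP
    ]
    return outcomes, len(proxy.tunnel), proxy.rejected
```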